User IDs and Passwords
Most computer systems today rely on a user ID / password combination to control access and to protect the data that resides on the systems. This means that the strength of the protection relies mainly on the length and complexity of the password that people choose to use. It is tempting to select passwords that are easy to remember and similar to passwords used before. Passwords should be easy for the individual to remember, but they must also be hard for others to guess.
Here are some best practices when choosing, maintaining, and protecting your passwords:
- Make sure your password is at least 8 characters long
- DO NOT share passwords except in true emergency circumstances or when there is an overriding operational necessity. Be sure to change your password immediately after sharing. In an emergency situation, be absolutely certain to whom you are giving your password, and how it will be used. Getting someone to reveal a password by deceit or lying is called "Social Engineering" and can be very effective in gaining unauthorized access to computer systems. Under normal circumstances a password should never be shared, but if it is, change it immediately after usage.
- DO NOT - repeat - DO NOT write passwords on sticky notes, desk blotters, or calendars, or store them under your keyboard, under your phone, or online where they can be accessed by others. This is one of the most frequent ways unscrupulous users gain unauthorized access to computer systems.
- Use a password with mixed-case letters, numeric characters and punctuation (where supported by the operating system). Do not just capitalize the first letter or add a number at the end. The more complex a password, the longer it will take to crack.
- Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching your fingers while you type, a technique known as "shoulder surfing."
- Change passwords regularly. The more critical an account is to network integrity (such as root on a Unix host or Administrator on Windows), the more frequently its password should be changed. This makes your password a "moving target" and makes cracking and brute-force attacks less effective. Regular password changes can also cut off continued access to an account that has already been compromised. Change passwords at least every 90 days.
- Try one of the following methods for password selection:
  - Two words: use two words separated by a number or punctuation, like "Pro%F0otball" or "l|0n&dog".
  - Altered word: take a word and change the case of some of the letters. Then either insert a letter or punctuation mark, or replace some letters with numbers or punctuation (but avoid common substitutions like a->4, I->1). Even better, use a combination of insertion and replacement. (Example: bomber -> b0mBer -> b0m&Ber -> %0m&Ber)
  - Keyboard pattern: this may be the best option for creating a complex password without having to remember it. Start by choosing an area of the keyboard to use for your password. Next, decide on a pattern. For example, take the upper-left quadrant of the keyboard and create two short columns, giving 2ws3ed3e, or, better yet, combine that sequence with shifted characters to get 2ws#ED3e. With this method you don't have to memorize any passwords; you simply have to remember where the pattern starts on the keyboard.
- DO NOT use the word "password" as your password, in any form (reversed, capitalized, or doubled). This is not a joke, people actually do this.
- DO NOT use a login ID in any form (reversed, capitalized, or doubled) as a password.
- DO NOT use common names of people or places as a password.
- DO NOT use keys in a natural progression, like "QWERTY", or "1234", or "abcabc".
- DO NOT use a word (forward or reversed) contained in English or foreign dictionaries, spelling lists, or other word lists. These types of passwords are among the easiest to crack. On a moderately fast computer, it is possible to crack a dictionary word-based password in seconds. It is important to remember that generally a computer is doing the guessing, not a human. A computer can be programmed to search through any list of words and try any algorithmic variation. The ways in which users choose passwords are well known to the authors of password cracking programs.
- DO NOT use words that are acronyms, technology terms, geographical locations or product names (dictionaries for these exist, too).
- DO NOT use a password that is simply a word either preceded or followed (or both) by a non-alphabetical character.
- DO NOT use passwords that match a dictionary word with common "number-for-letter" substitutions. Examples: a->2, a->4, b->8, e->3, h->4, I->1, l->1, o->0, s->$, s->2, s->5, z->5, etc. (as in: airplane -> 4irpl4ne -> 41rpl4ne -> 41rpl4n3).
- DO NOT use passwords that are words with vowels deleted, or are made lowercase then reflected. (Example: mechanic -> mchnc, or Super -> superrepus).
- DO NOT use information easily obtained about you. This includes your first, middle or last name in any form, your initials or any nicknames you may have, spouse or children's names or birth dates, pet names, license plate numbers, telephone numbers, ID numbers, the brand of your automobile (or the one you wish you had), the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
- DO NOT use passwords that are so complicated they have to be written down. See above.
- DO NOT use passwords that you have used in the past.
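The rules above describe exactly the variations a password-cracking program tries: reversals, doubling, vowel deletion, "number-for-letter" substitutions, keyboard progressions, and a word wrapped in a stray digit or symbol. The following checker, an added example that is not part of the original page, turns those rules into code so an administrator can see why the page's sample passwords (Pro%F0otball, l|0n&dog, 2ws#ED3e) pass while 41rpl4n3, drowssap, superrepus or !football9 are rejected. The word list, the substitution table and the `check_password`/`dictionary_variant`/`has_progression` function names are assumptions of this example; a real deployment would load full dictionaries and a breached-password list in place of the tiny constructed list.

```python
import itertools
import string

# Constructed stand-in for the dictionaries the page mentions (English words,
# product names, place names). A real check would load full word lists and a
# breached-password list instead of this hypothetical sample.
WORDLIST = {"password", "airplane", "mechanic", "super", "bomber",
            "football", "london", "windows"}

# Reverse of the "number-for-letter" substitutions listed on the page
# (a->2, a->4, b->8, e->3, h->4, i->1, l->1, o->0, s->$, s->2, s->5, z->5).
UNLEET = {"2": "as", "4": "ah", "8": "b", "3": "e",
          "1": "il", "0": "o", "$": "s", "5": "sz"}

# Natural key progressions: QWERTY rows, digit row, alphabet (and reverses).
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1234567890", string.ascii_lowercase]
VOWELS = set("aeiou")
MAX_CANDIDATES = 4096  # bound the substitution expansion for long inputs


def strip_vowels(word):
    return "".join(c for c in word if c not in VOWELS)


# Every derived form the page warns about: plain, reversed, doubled,
# "reflected" (word + its mirror image) and vowels deleted.
DERIVED = {}
for w in WORDLIST:
    for form in (w, w[::-1], w * 2, w + w[::-1], strip_vowels(w)):
        DERIVED[form] = w


def unleet_candidates(text):
    """Yield every way of undoing the listed digit/symbol substitutions."""
    options = [[c] + list(UNLEET.get(c, "")) for c in text]
    for combo in itertools.islice(itertools.product(*options), MAX_CANDIDATES):
        yield "".join(combo)


def dictionary_variant(text):
    """Return the dictionary word `text` is derived from, or None."""
    for cand in unleet_candidates(text):
        if cand in DERIVED:
            return DERIVED[cand]
    return None


def has_progression(pw, run=4):
    """True for keyboard/alphabet runs (qwer, 1234) or repeated blocks (abcabc)."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    for k in range(3, len(low) // 2 + 1):
        if any(low[i:i + k] == low[i + k:i + 2 * k]
               for i in range(len(low) - 2 * k + 1)):
            return True
    return False


def check_password(pw, login_id=""):
    """Return the list of rules from the page that `pw` violates (empty = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("needs mixed case, digits and punctuation")
    low = pw.lower()
    lid = login_id.lower()
    if lid and (lid in low or lid[::-1] in low):
        problems.append("contains the login ID")
    if has_progression(pw):
        problems.append("keyboard/alphabet progression or repeated block")
    # A word merely wrapped in digits or punctuation is still just a word,
    # so test both the full string and its stripped core.
    core = low.strip(string.punctuation + string.digits)
    for text in dict.fromkeys((low, core)):
        word = dictionary_variant(text)
        if word:
            problems.append("variant of dictionary word %r" % word)
            break
    return problems


if __name__ == "__main__":
    for pw in ("Pro%F0otball", "l|0n&dog", "2ws#ED3e",
               "airplane", "41rpl4n3", "drowssap", "superrepus",
               "!football9", "Qwerty123!", "abcabc12"):
        print("%-14s %s" % (pw, check_password(pw) or "OK"))
```

The substitution check deliberately expands every reversible replacement rather than guessing one, because that is what a cracking program does with its rule set; the `MAX_CANDIDATES` cap keeps the expansion bounded for very long inputs. Note that the page's own `%0m&Ber` example is only seven characters and would fail the length rule, which is why the insert/replace method should be applied to a longer base word.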